Industry Landscape on Cybersecurity:
Attacks are real and frequent

• Service disruption
> A major UK bank out of internet banking services for several hours

• Information loss
> A major US bank got the data of 83 million customers stolen

• Financial loss
> A central bank account lost US$81 million





Industry Landscape on Cybersecurity: 
Many banks are taking serious measures 


• Global banks are spending top dollars
> Total annual expenses on cybersecurity of top firms: over US$1 billion

• More information is being shared
> Banks have been sharing threat information for some time
> Rising momentum of cooperation; largest players working closer to share intelligence, rehearsal plans, etc.

• Many banks are looking for more experts
> Evidenced by the ever-increasing training efforts by banks and training providers, and specialisations of expertise
Industry Landscape on Cybersecurity:
Top of regulators’ agendas

• HKMA: Cybersecurity Fortification Initiative
> Three-pronged approach: framework, training, platform
> Announced its launch in May 2016

• Similar efforts made by other bank regulators
> US: Federal Financial Institutions Examination Council (FFIEC) developed a Cybersecurity Assessment Tool to help banks identify risks, determine preparedness
> UK: Bank of England (BoE) developed an Intelligence-Led Testing Framework, known as CBEST










HKMA’s Cybersecurity Fortification Initiative (CFI)

• Launched in May 2016; tailored for banks (also EMIs)
• Help enhance cyber resilience of institutions through three elements:
> Cyber Resilience Assessment Framework
> Professional Development Programme
> Cyber Intelligence Sharing Platform





Link to further details of the CFI programme presented at the Cybersecurity Summit in May 2016:
http://www.hkma.gov.hk/media/eng/doc/key-information/speeches/s20160518e2.pdf
Cyber Resilience Assessment Framework (C-RAF)

For assessing banks’ inherent risks, testing resilience, identifying gaps, charting routes for improvements

• Consultation with the banking sector (25/5 – 31/8)
> Industry welcomes the framework; over 170 valuable comments

• Possible improvements on document include:
> A glossary of terms (to clarify definitions)
> For different “control principles”, we may
✓ re-position some to a different classification (maturity level)
✓ re-word some to allow more flexibility (e.g. ...one should do something “in a timely manner” instead of “simultaneously”)
✓ remove some in view of technical difficulties (e.g. assigning potential losses by cost centres)

• Way forward
> Revision of framework underway
> To further discuss with HKAB on proposed revisions soon
> Implementation details available around the end of 2016
Professional Development Programme (PDP)

A training and certification scheme; graduates may carry out assessment/testing required by CFI

• Consultation with the banking and IT sectors (19/7 – 31/8)
> Draft sent to over 10 parties, including industry associations, universities; received 22 comments

• Industry welcomes the proposed scheme
> Provide the financial industry with much needed cybersecurity talent
> Support recognising equivalent qualifications

• Way forward
> To roll out the first training courses by the end of this year
> Setting up a panel to consider equivalent qualifications (comprising representatives from academia and the banking and IT industries)
Cyber Intelligence Sharing Platform

A one-stop shop for threat intelligence, alerts and solutions, with professional help

• Defined key functions:
> Hub for sharing of threat intelligence by participants
> Regular intelligence reports (including daily alerts)
> Actionable solutions
> Trend analysis

• Other features:
> Covers intelligence in the Chinese language
> Secured communication channels with robust encryption

• Recent progress of developments:
> Hardware being deployed and configured; application development underway
> Intelligence from commercial sources being evaluated

• Way forward
> First version of the platform will be operational by end-2016





Key Messages 
Preparing for tomorrow's challenges today 
1. Attacks will get more hostile, frequent, and unpredictable

• Malicious attacks are increasingly multifaceted:
> Different sources: cybercriminals, hacking enthusiasts; attackers based locally or overseas, etc.
> Different motivations:
For money?
For sensitive information?
For “making a statement”?
Or, simply, for “showing off” skills?
2. Cybersecurity is everybody’s business

• Cybersecurity not just a matter for IT staff, but all users of systems

• The human factor is often the (overlooked) root cause of incidents; and a system is as strong as its weakest link

• As required by CFI, important to cultivate the right environment to prevent and prepare for attacks:
> Constant attention of senior management
> Governance arrangements and processes
> Staff awareness and alertness
> Robust third-party management
3. The HKMA’s CFI provides a good platform but banks must do more

• Cyberattacks are persistent and ever-changing; we will never “finish the job”.

• The CFI only serves as a baseline requirement:
> Assessment Framework: Minimum requirements are set but banks have to further address risks based on their specific situations
> PDP: Give due recognition to qualified professionals, and encourage continuous professional training
> Intelligence sharing platform: More useful when everyone shares promptly and acts swiftly on intelligence





Thank you 